3c76a1ce29594493d952738f9ca57fbd3aaf3edee5f41a69b5a0e8fe8def0823

General

Target

TeamPublisherUserSetup.exe
Size

7.3MB
MD5

98ba705a7068a25ad3e8f244d622e72a
SHA1

31b6c4cf406cd94f81c67d16d7d79b727978b1c4
SHA256

407eddf509e809d9536b4ce187bf9725c291ce15e969e9d7070dc8624d235f6d
SHA512

4f0443b4620ec4bb5afbb7c6655b47e254e24c2d2fd3765fbac06a99c65b295590f706d2595c205a7de5ae63dc313fada2dd018577947e0652f107c8c6053e1f
SSDEEP

196608:tdlGEazRT5voP2S/l/vXBzDBHEESaGtHe9uzIOBlQ2tBMJ0UhP:xcNoP2S/J/NBkESaGtHpXlQ2g6Ud

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2716	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2716	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2716	MSIEXEC.EXE
Token: SeRestorePrivilege	2740	msiexec.exe
Token: SeTakeOwnershipPrivilege	2740	msiexec.exe
Token: SeSecurityPrivilege	2740	msiexec.exe
Token: SeCreateTokenPrivilege	2716	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2716	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2716	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2716	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2716	MSIEXEC.EXE
Token: SeTcbPrivilege	2716	MSIEXEC.EXE
Token: SeSecurityPrivilege	2716	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2716	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2716	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2716	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2716	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2716	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2716	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2716	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2716	MSIEXEC.EXE
Token: SeBackupPrivilege	2716	MSIEXEC.EXE
Token: SeRestorePrivilege	2716	MSIEXEC.EXE
Token: SeShutdownPrivilege	2716	MSIEXEC.EXE
Token: SeDebugPrivilege	2716	MSIEXEC.EXE
Token: SeAuditPrivilege	2716	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2716	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2716	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2716	MSIEXEC.EXE
Token: SeUndockPrivilege	2716	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2716	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2716	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2716	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2716	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2716	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2716	2416	TeamPublisherUserSetup.exe	30
PID 2416 wrote to memory of 2716	2416	TeamPublisherUserSetup.exe	30
PID 2416 wrote to memory of 2716	2416	TeamPublisherUserSetup.exe	30
PID 2416 wrote to memory of 2716	2416	TeamPublisherUserSetup.exe	30
PID 2416 wrote to memory of 2716	2416	TeamPublisherUserSetup.exe	30
PID 2416 wrote to memory of 2716	2416	TeamPublisherUserSetup.exe	30
PID 2416 wrote to memory of 2716	2416	TeamPublisherUserSetup.exe	30

C:\Users\Admin\AppData\Local\Temp\TeamPublisherUserSetup.exe
"C:\Users\Admin\AppData\Local\Temp\TeamPublisherUserSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{AB228304-86E2-4391-8F81-9D811246A28E}\Team Publisher User Tool.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="TeamPublisherUserSetup.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Downloaded Installations\{AB228304-86E2-4391-8F81-9D811246A28E}\Team Publisher User Tool.msi

Filesize
7.3MB

MD5
a0c2f531db57456b578c9bc81e9d6f0d

SHA1
f936b9c2f4319d367c175482a9bd500b9b1a5372

SHA256
2ed3a38aac262b20b83519e895864923978d83d6ef1e4597adc6c8135fa8ee9a

SHA512
ede4a4bc795a97a23e054282710763ef5fc6147926c818aecc304f8b496bf2a5943260c9348394fc3eb9a028135653dd005823da3abbc529a825c0a5a0bfd53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isAD75.tmp

Filesize
1KB

MD5
4ed52c6735b424d7848d546f28a02aef

SHA1
300403e9a14d718be38bb8dfc78ec1d3216260cf

SHA256
c82e1e7b56135be74bb5a50f2528c4abc8c0a6b7906dc42803ef1f4e9e1c9222

SHA512
1fcbf7ae8fd7d88ae856c7763343f2eb244c648ab106bc109c22f9e4aded34e10e31bc9e692d7dfada556b5eac2420ded267cc70073902adb1b55286984cc367

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8673F4A1-66B4-4AF6-83AC-B8C428FC8C36}\0x0409.ini

Filesize
13KB

MD5
758747727e96a23c7c5a5bbb011656e4

SHA1
51cc637e7eb3451d6dfa9465d949d6dfb2cd65c9

SHA256
bad3b2e854149df9413f06e6c1c7b7c875545393877f59b59907f6b083ce5825

SHA512
21ff9d365beb1b7809b89d540f41bf330515f05f6211c8327be43baf1f050e46ecc1654b0696e7c82a2a803267e38d780ffd83dea7448861f6e3b84838685627

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8673F4A1-66B4-4AF6-83AC-B8C428FC8C36}\Setup.INI

Filesize
2KB

MD5
69a5fd7cddcea178f4c17cfbc25d7645

SHA1
90a0447f33dd1b0c636cefb153eaf0639c0f465d

SHA256
440aedae2e3cacbc9fce444dfbd6b267a855d469593427c90fd37d3dcb501bcc

SHA512
f8bf3512f12bdc085cceaf0f4a4410c786cf304234483b57f8626fd4526e32c600aeed01681e7ceec3d0e290f15e30302bd1a3a765959a7c99e25e32a0ff74d1

Download Submit

Analysis

Sharing